Hands-on with session-based authentication

Session-based authentication is the third and simplest type of authentication in Magento; there is no token passing involved. As a customer, we log in to the Magento storefront with our customer credentials. As an admin, we log in to the Magento admin with our admin credentials. Magento uses a cookie named PHPSESSID to track the session in which our login state is stored. The Web API framework uses this logged-in session to verify our identity and to authorize access to the requested resource.

Customers can access resources that are configured with the anonymous or self permission in the webapi.xml configuration file, such as GET /rest/V1/customers/me.

If we open the http://magento2.ce/rest/V1/customers/me URL in the browser without being logged in as a customer, we get a response as follows:

<response>
    <message>Consumer is not authorized to access %resources</message>
    <parameters>
        <resources>self</resources>
    </parameters>
</response>

If we log in as the customer and then try to open that same URL, we would get a response as follows:

<response>
    <id>2</id>
    <group_id>1</group_id>
    <created_at>2015-11-22 14:15:33</created_at>
    <created_in>Default Store View</created_in>
    <email>[email protected]</email>
    <firstname>John</firstname>
    <lastname>Doe</lastname>
    <store_id>1</store_id>
    <website_id>1</website_id>
    <addresses/>
    <disable_auto_group_change>0</disable_auto_group_change>
</response>

Admin users can access resources that are assigned to their Magento admin profile.
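To make the three cases above concrete (anonymous route, a self route that needs a customer session, and an admin ACL resource), here is an added Python model of that check. It is not Magento's own code: the webapi.xml fragment is constructed in the shape Magento uses, and the session dictionaries (`{"type": "customer"}`, `{"type": "admin", "acl": {...}}`) are a hypothetical stand-in for the PHPSESSID-backed session.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of a Magento module's etc/webapi.xml
# (not copied from any real module).
WEBAPI_XML = """<routes>
  <route url="/V1/customers/me" method="GET">
    <service class="Magento\\Customer\\Api\\CustomerRepositoryInterface" method="getById"/>
    <resources><resource ref="self"/></resources>
  </route>
  <route url="/V1/customers/:customerId" method="GET">
    <service class="Magento\\Customer\\Api\\CustomerRepositoryInterface" method="getById"/>
    <resources><resource ref="Magento_Customer::customer"/></resources>
  </route>
  <route url="/V1/products/:sku" method="GET">
    <service class="Magento\\Catalog\\Api\\ProductRepositoryInterface" method="get"/>
    <resources><resource ref="anonymous"/></resources>
  </route>
</routes>"""

NOT_AUTHORIZED = "Consumer is not authorized to access %resources"


def load_routes(xml_text):
    """Map (HTTP method, route url) -> list of resource refs the route requires."""
    routes = {}
    for route in ET.fromstring(xml_text).iter("route"):
        refs = [r.get("ref") for r in route.iter("resource")]
        routes[(route.get("method"), route.get("url"))] = refs
    return routes


def resource_granted(ref, session):
    """Simplified model of the session-to-resource check. session is None
    (not logged in), {"type": "customer"} for a storefront login, or
    {"type": "admin", "acl": {...}} for an admin login (hypothetical shape)."""
    if ref == "anonymous":
        return True                       # public route, no session needed
    if ref == "self":
        return bool(session) and session["type"] == "customer"
    # any other ref is an admin ACL resource: the admin's role must hold it
    return bool(session) and session["type"] == "admin" and ref in session.get("acl", ())


def authorize(session, method, url, routes):
    """Return (True, None) or (False, error) where error mirrors the XML error
    body shown above. Every ref listed on the route must be granted."""
    refs = routes[(method, url)]
    if all(resource_granted(ref, session) for ref in refs):
        return True, None
    return False, {"message": NOT_AUTHORIZED, "resources": ",".join(refs)}
```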
